Audit Report

OIG-11-036
AUDIT REPORT
INFORMATION TECHNOLOGY: Treasury is Generally in Compliance with Executive Order 13103

November 17, 2010

Office of Inspector General
Department of the Treasury

Contents

Audit Report .......... 3
    Results in Brief .......... 4
    Background .......... 4
    Findings and Recommendations .......... 5

Appendices
    Appendix 1: Management Comments .......... 11
    Appendix 2: Major Contributors to This Report .......... 14
    Appendix 3: Report Distribution .......... 15

Abbreviations

    CIO     Chief Information Officer
    EO      Executive Order
    OCIO    Office of the Chief Information Officer
    OIG     Treasury Office of Inspector General
    TD      Treasury Directive

Treasury is Generally in Compliance with Executive Order 13103 (OIG-11-036)   Page 2

OIG
The Department of the Treasury
Office of Inspector General

Audit Report

November 17, 2010

Diane Litman
Acting Deputy Assistant Secretary for Information Systems and Chief Information Officer
Department of the Treasury

The objective of this audit was to determine whether the Department of the Treasury (Treasury) is in compliance with Executive Order (EO) 13103, Computer Software Piracy, which directs executive agencies to work diligently to prevent and combat computer software piracy and to ensure that their policies, procedures, and practices are adequate and fully implement the EO. We performed this audit at the request of the Office of the Chief Information Officer (OCIO).

To accomplish our objective, we examined Treasury's relevant policy and procedures and interviewed Treasury officials about promoting legal software use and proper software management. We conducted our fieldwork in Washington, D.C., from May 2010 through August 2010.

We performed this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Results in Brief

We determined that Treasury is generally in compliance with EO 13103, but Treasury's policy and procedures could be improved to ensure compliance. Specifically, we found the following:

    1. Treasury Directive (TD) 85-02, Software Piracy Policy, needs some clarification.
    2. The Treasury Chief Information Officer (CIO) needs to create and manage an enterprise list of authorized software and maintain an accurate inventory of installed software.
    3. The Treasury CIO needs department-wide procedures for auditing and tracking software licenses.

We are making six recommendations to the Treasury CIO to address the findings noted above.

In a written response, the Acting Treasury CIO agreed with our findings and recommendations and provided plans for corrective actions that are responsive to the intent of our recommendations (see appendix 1).

Background

EO 13103 was signed by the President on September 30, 1998. It directed, among other things, that

    • each executive agency adopt procedures to ensure that it does not acquire, reproduce, distribute, or transmit computer software in violation of applicable copyright laws; and
    • each executive agency establish procedures to ensure that it uses only computer software not in violation of applicable copyright laws.

OCIO provides leadership to Treasury and its bureaus in all areas of information and technology management. It has department-wide responsibility for directing and developing Treasury's information technology strategy, managing information technology investments, and leading key technology initiatives.

TD 85-02, approved on May 4, 2010, assigns responsibilities and establishes procedures and practices for Treasury's implementation of EO 13103.

According to the directive, it is the responsibility of the Treasury CIO to:

    • develop and implement an enterprise-level plan that ensures that the department is in compliance with the executive order;
    • coordinate with Treasury bureaus and offices to perform an initial assessment of existing policies and practices with respect to use and management of computer software;
    • maintain an enterprise list of department-authorized and supported software that indicates terms of licenses, authorized number of users, and physical location of software;
    • conduct periodic spot audits to ensure that Treasury bureaus and offices are in compliance with software licensing agreements; and
    • establish centralized software acquisition.

Additionally, the heads of bureaus and offices are assigned the responsibility to:

    • establish clear responsibility and authority within the organization for managing software licenses;
    • establish and maintain an accurate software inventory for both newly acquired software and software already purchased;
    • conduct and report annually to the OCIO software inventory reviews that reconcile purchases against the inventory;
    • establish and implement procedures for disposal of software in accordance with guidance provided in the software license agreement; and
    • conduct periodic audit checks (i.e., spot audits) to ensure that their respective bureaus and offices are in compliance with software license agreements.

Findings and Recommendations

Finding 1    TD 85-02, Software Piracy Policy, Needs Some Clarification

We found that TD 85-02's compliance with EO 13103 could be improved. We found two areas in TD 85-02 that need clarification:

    • Its definition of authorized software—"software developed, approved, purchased, or licensed by an agency"—is too broad because the definition allows any purchased software to be called authorized.
    • It requires reconciliation of bureaus' and offices' software inventories with purchases rather than with software license agreements. The current wording in the directive states that bureaus and offices are to "conduct and report annually, to the Office of the Chief Information Officer, software inventory reviews which reconcile purchases against the inventory."

Additionally, while TD 85-02 requires creation of an authorized software inventory, the policy lacks adequate guidance for ensuring compliance with this inventory. Specifically:

    • It does not contain a statement requiring bureau and office heads to ensure that software in their inventory is on the Treasury list of authorized software.
    • It does not require the CIO to perform periodic audit checks to determine if the bureaus and offices are only using software on the Treasury list of authorized software.

EO 13103 requires that each executive agency establish procedures to ensure that it uses only computer software not in violation of applicable copyright laws.

Based on the requirements of TD 85-02, Treasury cannot be sure that only authorized, licensed software is installed on its systems. Accordingly, Treasury could unknowingly be in violation of EO 13103.

Recommendation

1. We recommend that the Treasury CIO revise TD 85-02 as follows:

    • Define authorized software more specifically.
    • Require heads of bureaus and offices to ensure that software in their inventory is on the Treasury list of authorized software and remove it if it is not.
    • Require the CIO to perform periodic audit checks to determine if the bureaus and offices are only using software on the Treasury list of authorized software.
    • Require the bureaus and offices to reconcile their inventory with software license agreements, rather than with software purchases.

Management Response

The Acting Treasury CIO agreed with our finding and recommendation. Treasury will revise TD 85-02 to incorporate the recommended changes.

OIG Comment

The Acting Treasury CIO's planned actions are responsive to our recommendation.

Finding 2    The Treasury CIO Needs to Create and Manage an Enterprise List of Authorized Software and Maintain an Accurate Inventory of Installed Software

During our audit, we found that the Treasury CIO did not have an enterprise list of authorized software or maintain an inventory of installed software for Treasury bureaus and offices. Additionally, the Treasury CIO did not have procedures for creating or managing an enterprise list of authorized software.

As previously noted, EO 13103 requires that each executive agency establish procedures to ensure that it uses only computer software not in violation of applicable copyright laws. These procedures may include preparing agency inventories of the software on its computers and developing and maintaining adequate recordkeeping systems. In addition, TD 85-02 states that the Treasury CIO will maintain "an enterprise list of Department authorized and supported software."

Lack of an enterprise list of authorized software and an inventory of installed software puts Treasury at risk of unknowingly having unauthorized and possibly illegal software on its systems. The presence of such software could result in financial liability for the department and could also introduce vulnerabilities to Treasury systems. During our audit, for example, we examined a list of installed software for one Treasury bureau that included several instances of questionable software.

Recommendations

We recommend that the Treasury CIO do the following:

2. Develop procedures to create and manage a list of approved enterprise authorized software.
3. Maintain an accurate inventory of installed software.
4. Ensure that bureaus remove unauthorized software from Treasury systems.

Management Response

The Acting Treasury CIO agreed with our finding and recommendations. Treasury will develop procedures for managing an enterprise list of approved software, maintain an inventory of installed software, and ensure removal of unauthorized software.

OIG Comment

The Acting Treasury CIO's planned actions are responsive to our recommendations.

Finding 3    The Treasury CIO Needs Department-wide Procedures for Auditing and Tracking Software Licenses

TD 85-02 sets forth Treasury's department-wide policy regarding the use of licensed software. The directive states that it is the policy of the department to utilize only "copies of licensed authorized software, purchased by the Department of the Treasury Bureaus and Offices in accordance with the authorized software license terms." However, the department has not yet developed procedures for ensuring this is carried out. For example, among other things, during its monthly data calls to bureaus and offices, the OCIO does not collect or address software licensing information. In addition, Treasury procured a software management tool that performs license tracking and inventory, but has not deployed it Treasury-wide.

TD 85-02 also states that the Treasury CIO is responsible for developing and implementing an enterprise-level plan that ensures that the department is in compliance with EO 13103 and for conducting periodic audit checks to ensure that bureaus and offices are in compliance with software license agreements.

By not having procedures in place to support its policy, Treasury is at risk that it will not be in compliance with software licensing terms.

Recommendations

We recommend that the Treasury CIO do the following:

5. Establish and implement department-wide procedures for auditing and tracking software licenses.
6. Complete deployment of the software management tool.

Management Response

The Acting Treasury CIO agreed with our finding and recommendations. Treasury is in the process of deploying a software tool to establish consistent procedures for auditing and tracking software licenses.

OIG Comment

The Acting Treasury CIO's reported actions are responsive to our recommendations.

******

I would like to extend my appreciation to the OCIO staff for the cooperation and courtesies extended to my staff during the audit. If you have any questions, please contact me at (202) 927-5171 or Abdirahman Salah, Audit Manager, at (202) 927-5763. Major contributors to this report are listed in appendix 2.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Management Response

[Pages 11 to 13 of the report: management response; the content is not present in the extracted text.]

Appendix 2
Major Contributors to this Report

Office of Inspector General, Office of Information Technology Audit

Tram J. Dang, Director, Information Technology Audit
Abdirahman Salah, Current Audit Manager
Gerald Steere, Former Audit Manager
Susan I. Roy, Former Audit Manager
Larissa Klimpel, Information Technology Specialist (Lead)
Jason Brown, Information Technology Specialist
Dan Jensen, Information Technology Specialist

Appendix 3
Distribution List

Department of the Treasury

Office of the Chief Information Officer
Office of Accounting and Internal Control
Office of Strategic Planning and Performance Management

Office of Management and Budget

Office of Inspector General Budget Examiner